hello, I have setup a freeradius server version 2.1.7 using ldap for authentication. What i'm having trouble understanding is that in my users file i have a local user called admin. The default user account (for ldap) is listed before the admin account in the users file. since i have not configured Fall-Through i would expect the admin account to not be accessible if ldap query fails, but it is accessible. is my assumption wrong? here is the output from my user file. DEFAULT Huntgroup-Name == "network-admin", Ldap-Group == "networkadmins" Service-Type := NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15", # Auth-Type := LDAP admin Cleartext-Password := "Bl@rd3Ry" Service-Type := NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15" DEFAULT Auth-Type := Reject Reply-Message := "Access Denied. Your attemp has been logged."
Aqdas Muneer wrote:
I have setup a freeradius server version 2.1.7 using ldap for authentication. What i'm having trouble understanding is that in my users file i have a local user called admin. The default user account (for ldap) is listed before the admin account in the users file. since i have not configured Fall-Through i would expect the admin account to not be accessible if ldap query fails, but it is accessible. is my assumption wrong?
No. But if the DEFAULT doesn't match, it will try the "admin" entry. Again... run it in debugging mode to see what's happening. In this case, you *will* see that (a) the request isn't coming from that huntgroup, or (b), the user isn't in that LDAP group. Alan DeKok.
thank you for the quick response. the reason i created the admin account was for use during ldap outages and you are correct that this account does not exist in ldap. what would be a better way to go about accomplishing this. i want the admin account to be only available during times when the ldap module returns 'fail'? On Mon, Aug 16, 2010 at 4:53 PM, Alan DeKok <aland@deployingradius.com>wrote:
Aqdas Muneer wrote:
I have setup a freeradius server version 2.1.7 using ldap for authentication. What i'm having trouble understanding is that in my users file i have a local user called admin. The default user account (for ldap) is listed before the admin account in the users file. since i have not configured Fall-Through i would expect the admin account to not be accessible if ldap query fails, but it is accessible. is my assumption wrong?
No. But if the DEFAULT doesn't match, it will try the "admin" entry.
Again... run it in debugging mode to see what's happening. In this case, you *will* see that (a) the request isn't coming from that huntgroup, or (b), the user isn't in that LDAP group.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Aqdas Muneer wrote:
thank you for the quick response. the reason i created the admin account was for use during ldap outages and you are correct that this account does not exist in ldap. what would be a better way to go about accomplishing this. i want the admin account to be only available during times when the ldap module returns 'fail'?
Put this into the "authorize" section: authorize { ... ldap { fail = 1 } if (fail) { do things } ... } The "do things" text should be replaced by your actual policies. i.e. check for "admin" account, update password, etc. See "man unlang" for details. Alan DeKok.
thanks you i tired that and it worked great. if you dont mind can you tell me please why we had to set "fail = 1"? the reason i ask is that in my policy i have a 'notfound' statement and it works just fine, but for fail i have to set it to 'fail = 1'. below is the policy i have in place ldap { fail = 1 } if (fail){ files } elsif (notfound) { update reply { Reply-Message = "Cannot use this user account" } reject } Another question i have is that can i put in an unlang statement in the post-auth-type reject to put in an update reply when the ldap server failed and the user was not found in the fallback files. this way the user can be prompted to use the fall back username/password thanks for all your help in this matter. On Tue, Aug 17, 2010 at 7:23 AM, Alan DeKok <aland@deployingradius.com>wrote:
Aqdas Muneer wrote:
thank you for the quick response. the reason i created the admin account was for use during ldap outages and you are correct that this account does not exist in ldap. what would be a better way to go about accomplishing this. i want the admin account to be only available during times when the ldap module returns 'fail'?
Put this into the "authorize" section:
authorize { ... ldap { fail = 1 } if (fail) { do things } ... }
The "do things" text should be replaced by your actual policies. i.e. check for "admin" account, update password, etc. See "man unlang" for details.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Aqdas Muneer